VentureBeat commissioned an exclusive survey of technology executives at companies of at least 250 employees. The results show that, yes, the push to cloud services is gaining momentum: It’s already playing a significant role in IT executives’ decisions about what technologies to deploy, and many large companies are already embracing cloud services to a significant degree.

The main reasons for embracing the cloud are cost reduction, cost control and agility of deployment.

However, companies are holding back on hosting their most critical business applications in the cloud. Security, regulatory compliance and the difficulty of integrating complex apps into a new, internet-based infrastructure are the big concerns. There’s also some reluctance to commit business applications to a cloud provider that might suffer from occasional outages or that could be affected if legal actions target another one of the provider’s clients.

What cloud providers need to do to win over the next wave of customers seems clear: Ensure the security and reliability of services, facilitate integration and migration of existing apps, and provide assurances that customers will be able to move their apps and data elsewhere if need be.

We created a simple questionnaire with free-form answers to three key questions: Why are you using (or considering) cloud services, in what cases aren’t you considering using them, and what needs to change in the next year to speed adoption of cloud services?

We used Maven, a network of qualified domain experts who are available for “micro-consulting” (basically answering questions like these) in exchange for fees. Maven directed our questionnaire to a set of IT executives working at companies of 250 employees or more.

Of the 25 respondents, 64 percent were chief information officers, vice presidents or a similar executive title, while the remainder were senior managers or IT directors. 40 percent were at companies of 250-1,000 employees, and 28 percent were at companies with more than 10,000 employees. All have had decision-making responsibilities for choosing cloud-based technologies within the past 6 months.

Here are the specific questions we asked, along with a sampling of answers to each.

Why cloud?

Many respondents cited cost as the primary factor, with rapid implementation or simplification showing up in many other responses. Variability of cost, flexibility of deployment and “agility” were other reasons for considering cloud services.

Some pointed to specific accounting reasons: The desire to avoid capital expenditures (CapEx) and move costs to operating expenses (OpEx) or, perhaps, bury them in employee expense reports — a trick I’ve used at previous jobs to get needed services that IT wouldn’t approve.

Specific responses included:

“Cost reduction and simplification of support and maintenance.”

“Managing IT services infrastructure and owning it is not core to our business — in addition we cannot ever hope to stay up to date with technology without funding which would have to be taken from elsewhere in our business.”

“Major shift from CapEx to expense budget.”

“A tablet approach allows the use of a PDF annotation application and eliminates paper for this and board report documents as examples. Cloud storage, such as Dropbox or Box, can be used to upload the weekly files to the tablet. … [Bring Your Own Device] is another driver — the cloud delivery methods can eliminate the need to manage a user’s device directly and instead deliver PIM, email and other data to a secure canister on the device.”

Why not cloud?

Please name a process, workflow, application, or data set that your organization has deliberately decided NOT to move to the cloud. Please explain why you made this decision.

Keeping control of mission-critical business processes, ensuring security and maintaining lower costs on certain services were the main reasons cited for not using the cloud. For example, one respondent noted that large files were simply cheaper to store on local file servers at this point. Similarly, one company kept its own Exchange servers, noting that with a really large installation (over 1,500 seats) it was cheaper to maintain in-house.

Applications that have been carefully woven into a company’s business processes and integrated with a host of other software are also difficult to move to the cloud.

In some cases, security concerns are particularly pressing, such as with medical records governed by HIPAA.

Specific responses included:

“We would like to cut costs and simplify the support and maintenance efforts involved in storing [large] files. But, to date, it is much more economical to maintain that storage in-house.”

“Core policy administration systems: these are largely back office systems, they are large-scale legacy systems with a great deal of intellectual capital as well as containing our customers’ and agents’ personally identifiable information (PII), so any kind of security breach, or outage, would pose a significant business risk.”

“Clinical applications. Not quite sure of the HIPAA complications of storing Patient Data in a public cloud.”

“The bank’s core applications are considered too sensitive to move to a cloud model. Cloud vendor security cannot be reliably assessed or guaranteed, a big concern for heavily regulated industries. Application availability cannot be reasonably assured as well and there are several cases that can be pointed to in this area. A vendor’s environment being seized by the FBI has also affected some companies using these services. Having an internal cloud delivery model that leverages two internal datacenters is what we have implemented to address this concern.”

What’s next?

Please describe at least three key pain points (e.g. governance, spend management, multiple languages/frameworks, open standards, interop, etc.) that you believe will be solved in the next year to make cloud adoption easier. Why do you choose these items?

Management of the environment in the cloud was a concern of several respondents. How do you maintain your software, enforce service-level agreements, and make sure you’re not completely locked into any one vendor?

The answers here also hearkened back to the concerns over regulatory compliance with, say, banking regulations or HIPAA. Trusting data to a cloud provider is a whole different ballgame when that trust puts you at risk of very severe regulatory penalties.

Specific responses included:

“Comfort with the term cloud and education to understand that it’s not an either/or decision, the cloud can be private, hybrid or public depending on needs.”

“Support for multiple hypervisors, especially Hyper-V, because customers are demanding it and most cloud providers are mature enough with their first VMware support … but recognize they need to support others in the event of hybrid cloud setups.”

“Bandwidth, spend management, and open standards are current pain points that I expect to be resolved in the next year.”

“Ability to manage the dynamic environment that results from cloud adoption, the ability to manage SLAs, performance, availability and reliability across multi-vendor cloud solutions, ability to maintain portability so one can still have strength negotiating contract renewals.”